From: Per Forlin <[email protected]>
In fwsignal.c: brcmf_fws_commit_skb()
...
if (rc < 0) {
entry->transit_count--;
if (entry->suppressed)
entry->suppr_transit_count--;
(void)brcmf_proto_hdrpull(fws->drvr, false, skb, NULL);
^^^^^^^
goto rollback;
}
...
The call to hdrpull will trigger a null pointer exception
unless a null check is made in the method implementation.
Signed-off-by: Per Forlin <[email protected]>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.c
index 6af658e..81727da2 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.c
@@ -321,7 +321,8 @@ brcmf_proto_bcdc_hdrpull(struct brcmf_pub *drvr, bool do_fws,
if (pktbuf->len == 0)
return -ENODATA;
- *ifp = tmp_if;
+ if (ifp != NULL)
+ *ifp = tmp_if;
return 0;
}
--
2.1.4
> From: Per Forlin <[email protected]>
>
> In fwsignal.c: brcmf_fws_commit_skb()
> ...
> if (rc < 0) {
> entry->transit_count--;
> if (entry->suppressed)
> entry->suppr_transit_count--;
> (void)brcmf_proto_hdrpull(fws->drvr, false, skb, NULL);
> ^^^^^^^
> goto rollback;
> }
> ...
>
> The call to hdrpull will trigger a null pointer exception
> unless a null check is made in the method implementation.
>
> Signed-off-by: Per Forlin <[email protected]>
Thanks, applied to wireless-drivers-next.git.
Kalle Valo